Why do my two test cases fail with the given regex pattern

Time: 2013-05-20 09:00:23

Tags: java regex xss

When I run the test case program, both of my test cases str29 and str32 fail, so I need a regular expression pattern that passes all of the test cases.

My test class is as follows:

package com.csam.wsc.enabling.core.util.test;

import java.util.regex.Pattern;

public class RegularExTest {

    private static Pattern xssAttackPattern;
    // this pattern is a whitelist of allowed characters
    private static final String XSS_ATTACK_REGULAR_EXPRESSION = "([A-Za-z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*";

    public static void main(String arg[]) {
        testSQLOrXSSInjectionAsWhiteListApproach();
    }

    private static Pattern getXSSAttackPattern() {
        xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION);
        return xssAttackPattern;
    }

    public static boolean hasXSSAttackOrSQLInjection(String value) {
        if (getXSSAttackPattern().matcher(value).matches())
            return false;
        return true;
    }

    public static void testSQLOrXSSInjectionAsWhiteListApproach() {

        String str0 = "";
        String str1 = ",:4,5}{A{,}1{}r,'ee4534:r,p],[A},{1}}{A{,}345:,";
        String str2 = "a";
        String str3 = "A#";
        String str4 = "#";
        String str5 = "#'";
        String str6 = "123";
        String str7 = "As";
        String str8 = "{#}";
        String str9 = "#{}";
        String str10 = "!";
        String str11 = "'124";
        String str12 = "123'";
        String str13 = "'";
        String str14 = "''";
        String str15 = "Hello";
        String str16 = "<>";
        String str17 = "<>/?\":;";
        String str18 = "!@#$%^&*()_+}{|\":<>?,./[]\\";
        String str19 = "Good";
        String str20 = "A\\%27";
        String str21 = ".";
        String str22 = "/";
        String str23 = "_";
        String str24 = ".'";
        String str25 = "/_";
        String str26 = "_.";
        String str27 = "http://rss.cnn.com/rss/edition_business.rss";
        String str28 = "http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
        String str29 = "Communication in progress...";
        String str30 = "(";
        String str31 = ")";
        String str32 = "(.:[]{} ";
        String str33 = "(.:[]{} #";
        String str34 = "&";
        String str35 = "$";
        String str36 = "-dsfdsfddsfd2112212s";
        String str37 = "--dsfdsfddsfd2112212s";
        String str38 = "-dsfdsfdd-sfd2112212s";
        String str39 = "--";
        String str40 = "-";


        assertFalse(str0);
        assertTrue(str1);
        assertFalse(str2);
        assertTrue(str3);
        assertTrue(str4);
        assertTrue(str5);
        assertFalse(str6);
        assertFalse(str7);
        assertTrue(str8);
        assertTrue(str9);
        assertTrue(str10);
        assertTrue(str11);
        assertTrue(str12);
        assertTrue(str13);
        assertTrue(str14);
        assertFalse(str15);
        assertTrue(str16);
        assertTrue(str17);
        assertTrue(str18);
        assertFalse(str19);
        assertTrue(str20);
        assertFalse(str21);
        assertFalse(str22);
        assertFalse(str23);
        assertTrue(str24);
        assertFalse(str25);
        assertFalse(str26);
        assertFalse(str27);
        assertTrue(str28);
        assertFalse(str29);
        assertFalse(str30);
        assertFalse(str31);
        assertFalse(str32);
        assertTrue(str33);
        assertTrue(str34);
        assertTrue(str35);
        assertFalse(str36);
        assertTrue(str37);
        assertFalse(str38);
        assertTrue(str39);
        assertFalse(str40);


    }

    public static void assertFalse(String value) {
        boolean result = hasXSSAttackOrSQLInjection(value);
        String var = "undefined";
        if (result == false) {
            var = "success";
        } else {
            var = "fail";
        }
        System.out.println("For given string -> " + value + " -> " + var);
    }

    public static void assertTrue(String value) {
        boolean result = hasXSSAttackOrSQLInjection(value);
        String var = "undefined";
        if (result == true) {
            var = "success";
        } else {
            var = "fail";
        }
        System.out.println("For given string -> " + value + " -> " + var);
    }
}

1 answer:

Answer 0: (score: 0)

Here is your regex as a string literal:

"([A-Za-z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*"

The actual regex is:

([A-Za-z0-9,()[\\]{}\":./_\\s]|(?<!-)-)*

I see two main problems here.

  1. Unlike most flavors, Java allows you to embed a character class inside another character class. Your regex does not match square brackets ([ and ]) because [\\] is interpreted as an embedded character class that matches a backslash.

  2. The \\\\s in the string literal becomes \\s in the regex. You probably meant \s, the class shorthand for whitespace characters, but it is actually a literal backslash followed by an s.

You need to escape the square brackets and fix the escaping of \s. This regex matches all of the sample strings:

    ([A-Za-z0-9,()\[\]{}":./_\s\\]|(?<!-)-)*

When I create a character class with a literal backslash, I like to put the backslash last. I find it easier to read that way, and if I mess it up, it is more likely to throw an exception than to silently match the wrong thing.

Also note that the quotation mark (") does not need to be escaped for the regex parser, only for the Java parser. That means you only need one backslash in the string literal, not three. Here is the final string-literal form of your regex:

    "([A-Za-z0-9,()\\[\\]{}\":./_\\s\\\\]|(?<!-)-)*"
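The following program is an added example, not code from the question or the answer above. It compiles both the original string literal and the corrected one side by side and runs them over a few constructed inputs (the two failing test strings plus some extra ones I chose), so you can see exactly which inputs the nested `[\\]` class and the broken `\s` escape were rejecting. The class name `WhitelistPatternDemo` and the sample inputs are my own.

```java
import java.util.regex.Pattern;

public class WhitelistPatternDemo {

    // The pattern from the question, as a Java string literal (unchanged).
    static final String ORIGINAL =
            "([A-Za-z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*";

    // The corrected literal from the answer: [ and ] escaped, \s restored as a
    // real escape, and the literal backslash moved to the end of the class.
    static final String FIXED =
            "([A-Za-z0-9,()\\[\\]{}\":./_\\s\\\\]|(?<!-)-)*";

    // Compile each pattern once; the question's helper recompiles on every call.
    static final Pattern ORIGINAL_PATTERN = Pattern.compile(ORIGINAL);
    static final Pattern FIXED_PATTERN = Pattern.compile(FIXED);

    /**
     * True when every character of value is on the whitelist.
     * matches() requires the whole input to match, so ^ and $ are not needed.
     */
    static boolean isWhitelisted(Pattern whitelist, String value) {
        return whitelist.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs (hypothetical sample data): the two failing test strings
        // from the question plus a few that show where the two patterns agree and differ.
        String[][] samples = {
                { "Communication in progress...", "str29: spaces, rejected only by the original" },
                { "(.:[]{} ",                      "str32: [ and ], rejected only by the original" },
                { "a\tb",                          "tab: whitespace via \\s, fixed pattern only" },
                { "a\\b",                          "literal backslash: accepted by both" },
                { "--",                            "double hyphen: rejected by both" },
                { "<>",                            "angle brackets: rejected by both" },
        };

        System.out.printf("%-32s %-10s %-10s %s%n", "input", "original", "fixed", "note");
        for (String[] s : samples) {
            // Make control characters visible in the printed table.
            String shown = s[0].replace("\t", "\\t").replace("\n", "\\n");
            System.out.printf("%-32s %-10b %-10b %s%n",
                    shown,
                    isWhitelisted(ORIGINAL_PATTERN, s[0]),
                    isWhitelisted(FIXED_PATTERN, s[0]),
                    s[1]);
        }
    }
}
```

Compile and run with `javac WhitelistPatternDemo.java && java WhitelistPatternDemo`. The first two rows are the question's str29 and str32: the original pattern rejects both (a space and a `[` are not in its class), while the corrected one accepts them, which is what the assertFalse calls expect. Note that this kind of check is character-level input validation only; the corrected whitelist still admits `"`, `\`, `(`, `)` and `:`, all of which carry meaning in HTML attributes, JSON and other contexts, so it belongs alongside context-specific output encoding and parameterized queries rather than in place of them.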